Date: Fri, 18 Oct 1996 14:19:53 -0700
From: Julian Elischer <julian@whistle.com>
To: Guido.vanRooij@nl.cis.philips.com
Cc: freebsd-hackers@freebsd.org, Andrew.Tridgell@anu.edu.au
Subject: Re: fix for symlinks in /tmp (fwd) FYI
Message-ID: <3267F479.773C2448@whistle.com>
References: <199610181859.UAA14544@spooky.lss.cp.philips.com>

Guido van Rooij wrote:
>
> ----- Forwarded message from Andrew Tridgell -----
>
> The patch changes the kernel's namei code so that symlinks will not be
> followed if:
>
> 1) the t bit is set on the directory containing the symlink
>    and
> 2) the euid of the process does not match the owner of the symlink.
>
> The patch explicitly includes root, so root will not be able to follow
> symlinks in /tmp unless it owns them.
>
> I believe this change fixes all the "symlink-in-/tmp" style of
> security holes while having a minimal impact on the normal use of
> symlinks.

I wonder if anyone can comment on this...
My initial reaction is that it's breaking the expected behaviour
of the system to do this....
If I see a symlink I expect it to be followed..

>
> In case you don't think this change is necessary you should think
> about how many recent security holes in unix-like systems have been
> due to sloppy coding of programs that create files in /tmp. I also
> noticed today that gcc is vulnerable to this kind of bug (as of
> version 2.7.2), so potentially you can attack anyone who compiles
> anything on your system.

anyone from the BSD security group have comments?

>
> I know there have been other proposed generic fixes for this style of
> bug, but they tend to suffer from the problem of requiring people to
> change the way they work. The above fix should not be very noticeable
> to normal users of a system.

until they stumble over it.

> Can anyone see any problems with this proposal?

I just don't like it?

julian